Monday, December 26, 2011

Today users are wholeheartedly embracing next-generation smart phones and tablets. Employees are bringing them to work and using these devices extensively. But corporate IT departments are yet to accept these devices. Most IT departments are forced to allow only corporate email on these smart devices. At most workplaces, these smart phones or tablets cannot be connected to the corporate network or even access corporate data through VPN.

The main challenge for corporate IT has been security management on these mobile devices. Unlike laptops, Apple iPhones, Apple iPads and Google Android devices do not have software functions built in for corporate-level security management. As a result, these devices cannot be used in a corporate network, as they pose a serious security risk. But not allowing smart phones or tablets poses a bigger risk to the business. Businesses that do not embrace new technology will become obsolete and lose their competitive edge. Having mobile smart devices in the hands of employees can create competitive advantages in terms of better customer service, faster response to issues and lower operating costs. So corporate IT departments are forced to look at various solutions to this problem.

There are two possible solutions: Virtual Desktops, or an Information Security Management (ISM) app on the mobile device.

Virtual desktop infrastructure (VDI) is a relatively new and disruptive technology. VDI forces massive changes in IT management and requires new server hardware, new networks and new storage. In short, VDI is expensive and needs lots of planning and a staged, carefully planned implementation. In the long run VDI will be a perfect solution, but there is a need for an interim solution.

The interim solution is a simple ISM app running on the smart phone.

In my earlier blog post titled "Product Management- How to beat iPad", I had written about creating a tablet with a strong built-in security system. In this article, I am taking that idea a little further by defining what the security requirements are for a mobile smart device.

ISM Application Solution

Information Security Management software is an ideal solution for managing mobile smart devices. A similar ISM solution will be needed to manage the Virtual Desktop instances.

Let's take a look at what functions the ISM app is expected to provide.

1. Memory resident software

The application has to be 'memory resident', i.e., the device OS is not permitted to shut down this application. The ISM app is started on boot-up and is shut down only when the device is shut down.

2. Uses a multi-part authentication system and then allocates privileges based on user rights.

A secure multi-part authentication system (as a service) is used to authenticate the user. Once the user is authenticated, the user privileges and security settings on the device are set accordingly. The ISM software will implement policy-based access control, thus allowing large-scale yet flexible deployments. (Also see: Need for a Central Multi-Factor Authentication as a Service)

3. Wipes the device after repeated authentication failures

If the user fails the authentication checks for a preset number of attempts, the ISM software will wipe out all data on the device. Since the data is synchronized with a remote server, loss of user data is minimized while the corporate data is secured at the same time.

4. Run and manage compliance audits

The ISM app can be configured remotely to run compliance audits and report policy violations, application inventory, compliance status tracking etc. to the remote server.

5. Image lock - users cannot add/delete software programs or apps.

Based on user privilege settings, users can be allowed or disallowed to add/delete software programs/apps. For all user types, there will be one golden image which can be pushed remotely to reset the user device to a set configuration.

6. All local data is synchronized automatically when connected.

All user-generated data is temporarily stored on the device and is synchronized automatically when the device is connected to the Internet. This synchronization happens in the background without user intervention.

7. All local data on the device is encrypted to the AES-256 encryption standard

Data stored on the device (emails, calendar, contacts, documents, etc.) is encrypted using a secure key generated by the multi-part authentication system. Only the authentication system knows the decryption keys. This is a critical security requirement. Currently, only Blackberry has such a system.

8. Remote device configuration and application management

Remote device configuration and application management is done in the background without disrupting the user.

9. SMS/MMS and IP traffic supervision

All data traffic on the device is monitored for potentially dangerous threats; logs are created and uploaded to the central server for analysis. The threat from hackers is too great to ignore, so to prevent major hacks all data traffic is monitored for suspicious behavior and the logs are uploaded to a security management solution such as RSA enVision.

10. Remote wipe and device location

To prevent data loss in case of a lost or stolen device, the ISM software can be remotely triggered to wipe out all user data. The ISM app can also broadcast its geographic location to the server when triggered remotely. This functionality currently exists in Blackberry phones.

11. Remote administration and control for help desk.

In case the user calls the help desk, the help desk employee must be able to take control of the device and resolve the user's issue.

12. Internet firewall as per corporate policy

Organizations must be able to protect users from unauthorized or insecure websites. The ISM firewall maintains a list of permitted and non-permitted websites, and controls access to the Internet based on corporate policy.

Control, compliance and convenience are the keys to a successful ISM application. The user's functions must not be disrupted or hindered while providing all the security to the user and the organization.

ISM Central server

To monitor and manage the mobile devices, the ISM app connects to the ISM server application over the VPN/Internet. The ISM server is essential to help IT admins plan and maintain all mobile deployments. Administrators can centrally implement management policies and configuration changes, and monitor the mobile devices. The ISM server also provides a user dashboard to help operators manage mobile devices.

The function of the ISM server is to manage the mobile devices. The functional features of the ISM server will be described in a later blog post.

Closing Thoughts

Today there is a strong need for an ISM application which will enable all mobile devices to be used on a corporate network without compromising safety and security. In this article I have briefly outlined the functionality of such a software system. The system has two components: the client app that resides on the mobile device and a server that runs in a data center. I have limited the scope of this article to the client-side app and will write about the server functionality in future.

Control, compliance and convenience are the keys to a successful ISM application.